Is Personal Capital Safe? Personal Capital Security Explained

When I tell people I use a tool to do it, they all ask me the same question – is Personal Capital safe?

Security is one of the biggest concerns people have with any financial aggregator or tool. Whether it's Mint, Personal Capital, or some other service – putting your data into the “cloud” can be unnerving. This is especially true given how many hacks we've seen recently. Equifax, one of the biggest credit reporting agencies, was hacked and 143 million consumers had their data stolen. It was enormous.

How do you know that your data is going to be safe at another company?

It comes down to two key parts: how they safeguard your information once they have it, and how they safeguard it in transit while they collect it.

Two Key Security Areas

When it comes to financial apps and security, there are two key pieces to look at:

How Safe is My Data – When you give the tool your data, how is it stored and protected? What is stored and where is it stored? How are the employees monitored to prevent any kind of theft?

How Safe is the Connection – When you communicate with the tool, how secure is that connection? When you log in, when you view your data, when you update anything, when you give them your credentials… the transmission of that data is subject to risk.

The information you put into the system has to be safe in its place of storage. The way you communicate that information must also be secure.

The guy you want to talk to when it comes to security at Personal Capital is Fritz Robbins. He is their Chief Technology Officer and Chief Information Officer. He has over 20 years of experience in the field, including a three-year stint as a System Architect at RSA Security and 8 years running his own full-lifecycle software engineering company. He holds an M.S. in Computer Science from Stanford University to boot.

(also, for what it's worth, Personal Capital's Founder Bill Harris co-founded PassMark Security, a company that built online authentication systems used by most major banks, and Fritz Robbins was with that company as well)

I asked Fritz about security and he mentioned a few of the points I'll dive deeper on below:

Fritz Robbins, CTO/CIO of Personal Capital

Our point of view is that viewing your banking and brokerage accounts via Personal Capital is *safer* than going directly to the banking/brokerage site from your browser. You touched on many of the reasons why:

The connection is read-only and no money can be transferred out of your banking/brokerage account via Personal Capital, and your banking/brokerage passwords are never returned to your browser from our servers.

Our service gives you notification of all banking/brokerage transactions (via email or mobile push notifications) that make it easy for you to monitor your banking/brokerage accounts for fraud, all in one place!

Not for nothing but knowing the security chops of the team behind Personal Capital gives me confidence they're on top of their game.

Quick Primer on Encryption

Encryption is fascinating. The basic idea behind public-key encryption is that you have two keys, a public key and a private key.

If you want to encrypt something that only I can read, you need my public key. You encrypt your message with my public key and then send me the encrypted message. The only way to decrypt it is by using my private key (which I would never share). If I want to send you something encrypted, I will need your public key to encrypt it. Then only you can decrypt it using your private key.

Fundamentally, modern encrypted communications all build on this idea. There are variations to make it more secure, depending on your needs (more hoops = more secure = more time).

For example, one classic variation is to rely on “session” keys rather than “permanent” ones. It's like using a temporary credit card number rather than your actual one. For every conversation, you create new keys that expire after the session is over.

Another variation is how we get the public keys to one another. We can just publish them, and that's typically fine, or we can use what's known as the Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key exchange. It generates yet more temporary keys that only the two of us use for this single session. This is what Personal Capital uses.

AES-256 is seriously serious encryption.

When you enter your bank credentials into Personal Capital, they encrypt them with AES-256 with multi-layer key management, which includes rotating user-specific keys and salts. AES-256 is the Advanced Encryption Standard (AES) with a 256-bit key, and AES is the gold standard as determined by NIST, the United States National Institute of Standards and Technology. 256 refers to the length of the key in bits, and 256 bits is the longest key size AES supports. It is also the same encryption used by the US Government.

They never store your financial login credentials. That data is encrypted and stored at Envestnet Yodlee, a platform that powers a laundry list of financial services and wealth management tools and companies. Yodlee is periodically audited by the Office of the Comptroller of the Currency and their security processes are available here.
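As an added illustration (not Personal Capital's or Yodlee's code; the page does not describe their exact key-management layout), here is what "AES-256 with user-specific keys and salts" looks like in Go: each credential is sealed with AES-256-GCM under that user's key, a random nonce acts as the per-record salt, and the user ID is bound in as associated data so a blob copied into another user's record will not open. Rotating a user's key is Decrypt under the old key followed by Encrypt under the new one; the key, user ID and credential in use are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// gcmFor builds an AES-GCM cipher; a 32-byte key selects AES-256.
// Illustration only: a real deployment would fetch the per-user key from a
// KMS/HSM-backed store, which is the "multi-layer" part of key management.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals one credential under a per-user key. A random 96-bit nonce
// (the per-record "salt") is prepended to the output, and the user ID is bound
// in as associated data so a blob moved to another user's record fails to open.
func Encrypt(key []byte, userID, credential string) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(credential), []byte(userID)), nil
}

// Decrypt reverses Encrypt; GCM's authentication tag rejects any altered byte,
// a wrong key, or a mismatched user ID.
func Decrypt(key []byte, userID string, blob []byte) (string, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return "", err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, blob[:n], blob[n:], []byte(userID))
	return string(pt), err
}
```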

As for internal access controls, no one at Personal Capital has access to your credentials. Zero.

How Safe is the Connection with Personal Capital?

Your data is safe and encrypted on their servers, but it needs to get there first without someone peeking.

That's where encryption plays yet another role.

All of your online interaction with Personal Capital is encrypted, so no one can decipher what you're communicating with Personal Capital servers. They prefer TLS 1.2 but also support TLS 1.1 and TLS 1.0. They do not allow other less-secure protocols. In encryption, you need to exchange keys during a session of communication, and they use ECDHE key exchange for Perfect Forward Secrecy (read the encryption primer for more information).
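To make the ECDHE and forward-secrecy points from the encryption primer and this paragraph concrete, here is an added Go example (not Personal Capital's code; it models the key exchange on its own, outside a TLS stack) in which a browser and a server each generate a one-session P-256 key pair, exchange only their public keys, and derive the same session key. Hashing the shared secret with SHA-256 stands in for the key-derivation step TLS performs.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// sessionKey derives a 256-bit session key from our ephemeral private key and
// the peer's public key bytes. SHA-256 stands in for the key-derivation step
// a real TLS stack performs; this is an illustration, not a TLS implementation.
func sessionKey(priv *ecdh.PrivateKey, peerPub []byte) ([]byte, error) {
	pub, err := ecdh.P256().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(pub) // shared curve point; never sent on the wire
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(shared)
	return k[:], nil
}

// RunSession models one browser/server handshake: each side makes a fresh
// P-256 key pair, sends only its public key, and derives the key locally.
// The private keys are dropped when the function returns, so a later
// compromise of either side cannot recover this session's key (forward secrecy).
func RunSession() (browserKey, serverKey []byte, err error) {
	browser, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	server, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	browserKey, err = sessionKey(browser, server.PublicKey().Bytes())
	if err != nil {
		return nil, nil, err
	}
	serverKey, err = sessionKey(server, browser.PublicKey().Bytes())
	return browserKey, serverKey, err
}

func main() {
	k1, k1s, _ := RunSession()
	k2, _, _ := RunSession()
	fmt.Println("sides agree:", bytes.Equal(k1, k1s), "next session differs:", !bytes.Equal(k1, k2))
}
```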

They also require two-factor authentication. This means that if you log in from an unknown or new device, they will confirm it's you via your phone or email (you pick when you set it up). I feel it's a must for any financial institution, and there are some banks that don't have this yet!

Finally, their apps are tested by NowSecure and the AppSecure certification process.

How Personal Capital Protects Against Fraud

To this point, we've talked only about how Personal Capital protects you and your data. What if the data is bad?

What if your credit card gets used in a fraudulent way? Personal Capital monitors your transactions and can send you a Daily Transaction Monitor email that lists everything it has seen that day. Rather than reviewing your statement at the end of the month, you review it daily when your memory is fresh. You may not remember a transaction from two weeks ago but if it happened today, you will.

One point of access for multiple banks means you don't have to log into each of those banks individually. In fact, when you log into Personal Capital, you never have to enter your bank credentials, so they never get transmitted from your computer. If your computer is compromised by malware or a keylogger, your bank credentials are never typed or sent during that session, so your financial accounts stay secure.

Nothing Is 100% Safe

If you add another layer to the system, it's another layer that can be attacked.

That said, you have to weigh the benefits you get from using them (you can read my Personal Capital review to see everything I like and dislike about them) against the small chance they could be attacked.

I am personally comfortable with using them but that's ultimately for you to decide. They have put all the proper protections in place, often higher standards than is required, and that's good enough for me.

About Jim Wang

Jim Wang is a thirty-something father of two who has been featured in the New York Times, Baltimore Sun, Entrepreneur, and Marketplace Money.

He can show you the philosophies, tools, strategies and methods he used to become financially independent and free to pursue what was important.

One of his favorite tools is Personal Capital, which enables him to manage his finances in just 15 minutes each month. They also offer financial planning, such as a Retirement Planning Tool that can tell you if you're on track to retire when you want. It's free.

He is also diversifying his investment portfolio by adding a little bit of real estate. Not rental homes, because he doesn't want a second job; instead, he makes diversified small investments in a mix of properties through RealtyShares. Worth a look, and he's already made investments that have performed according to plan.

Comments

I agree that nothing is 100% safe, but I personally think Personal Capital is a great tool to use, and will continue to refer newbies to it when it comes to tracking their net worth for the first time. It’s a fantastic resource.


Disclaimer

I am not a financial adviser. The content on this site is for informational and educational purposes only and should not be construed as professional financial advice. Please consult with a licensed financial or tax advisor before making any decisions based on the information you see here.

Advertising disclosure: I may be compensated through 3rd party advertisers but our reviews, comparisons, and articles are based on objective measures and analysis. For additional information, please review our advertising disclosure.

All opinions expressed here are the author's alone and not those of any other entity, including but not limited to banks, credit card issuers, hotels, or airlines. This content has not been reviewed, approved, or endorsed by any entity included within the post.